[Bug 287461] pf overload rule overrides other filters
Date: Thu, 12 Jun 2025 04:06:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287461
Bug ID: 287461
Summary: pf overload rule overrides other filters
Product: Base System
Version: 14.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: bc979@lafn.org
pf.conf extract on server 'mail':
block in quick log on $ext_if proto tcp from <woodpeckers> to any port $SMTP
pass in inet proto tcp to any port $SMTP \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 10/60, \
     overload <woodpeckers> flush global)
block in quick log on $ext_if proto tcp from any to any port $telnet
anchor "blacklistd/*" in on $ext_if
mail# pfctl -a blacklistd/25 -tport25 -Ts
10.0.1.235
mail#
From machine with IP 10.0.1.235:
test# telnet mail 25
Trying 10.0.1.230...
Connected to mail.
Escape character is '^]'.
220 mail.sermon-archive.info ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
The presence of the overload function overrides the blacklistd rules. The
connection is made even though there is a blocking IP address in the table.
I don't know if this is an intended feature or a bug. In either case it is not
documented anywhere I could find.
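To make the ordering question concrete, here is an added example (not part of the report or of pf itself) that models pf's rule evaluation order, top to bottom with last match winning, `quick` ending evaluation and anchors evaluated in place, over the quoted extract. It assumes $ext_if is em0, that the woodpeckers table is empty at test time, and that the blacklistd/25 anchor holds the block-in-quick rule the blacklistd pf helper installs for table <port25>.

```python
# Added example, not from the bug report: a minimal model of pf's evaluation
# order (top to bottom, last match wins, "quick" stops, anchors evaluated in
# place) run over the quoted ruleset. Table contents are constructed from the
# report; the anchor rule and EXT_IF = "em0" for $ext_if are assumptions.
EXT_IF = "em0"
SMTP, TELNET = 25, 23
TABLES = {"woodpeckers": set(), "port25": {"10.0.1.235"}}

def rule(action, quick=False, iface=None, dport=None, src_table=None):
    return {"action": action, "quick": quick, "iface": iface,
            "dport": dport, "src_table": src_table}

# Main ruleset, in the order shown in the report
MAIN = [
    rule("block", quick=True, iface=EXT_IF, dport=SMTP, src_table="woodpeckers"),
    rule("pass", dport=SMTP),                 # the overload rule: no "on", no "quick"
    rule("block", quick=True, iface=EXT_IF, dport=TELNET),
    {"anchor": "blacklistd/*", "iface": EXT_IF},
]
# Assumed anchor content: block in quick proto tcp from <port25> to any port 25
ANCHORS = {"blacklistd/25": [rule("block", quick=True, dport=SMTP, src_table="port25")]}

def matches(r, pkt):
    """Match on interface, destination port and source table (the only fields modelled)."""
    return ((r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["src_table"] is None or pkt["src"] in TABLES[r["src_table"]]))

def evaluate(rules, pkt, verdict=("pass", "default"), where="main"):
    """Return ((action, deciding rule), stopped) for one inbound TCP SYN."""
    for i, r in enumerate(rules):
        if "anchor" in r:
            if r["iface"] is not None and r["iface"] != pkt["iface"]:
                continue                      # anchor rule itself does not match
            for name, sub in ANCHORS.items():
                verdict, stopped = evaluate(sub, pkt, verdict, name)
                if stopped:
                    return verdict, True
            continue
        if matches(r, pkt):
            verdict = (r["action"], f"{where} rule {i + 1}")
            if r["quick"]:
                return verdict, True          # quick: this rule is final
    return verdict, False                     # otherwise the last match wins

def decide(iface, src, dport):
    return evaluate(MAIN, {"iface": iface, "src": src, "dport": dport})[0]

if __name__ == "__main__":
    for iface in (EXT_IF, "em1"):
        print(iface, decide(iface, "10.0.1.235", SMTP))
```

Under these semantics the anchor's block wins for a SYN that arrives on $ext_if, so the interface the test connection actually enters on, together with the per-rule counters from `pfctl -vvsr`, is the first thing to compare against the reported result.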